by remaerd 3895 days ago
As a user of 1Password and an indie app developer myself, I don't think talking about this question in YCNews is a nice gesture.

You are talking about an outdated data format which AgileBits has dropped. They already provide OPVault to solve the problem. What do you expect them to fix?

Some readers may only skim the title of this article, or they don't understand the technical details, so they will assume that 1Password IS NOT SAFE. It's a minor bug which will affect almost no one. But this article (its title) will affect so many people's impression of 1Password. You are just writing an article to punish AgileBits.

(Update: I was wrong about the Agile Keychain being dropped. It's still used for Dropbox syncing, but not for iCloud/CloudKit.)


That's absolutely not the case. My issue is that AgileBits need to push the new format over the old one. The old one is still the default. Most users, myself included, have no idea that the old format is insecure, or that a new format exists.

The article has very limited technical details to avoid confusing people who don't know what they are doing, but the reality is that if they are reading my blog, or are reading HN, then they have the technical details to understand something much more complex than what I wrote.

I clearly state at the bottom of the article that the software still keeps your passwords secure and that I will continue to use 1Password. AgileBits still have my full support; I just want them to inform users of the downsides of using Agile Keychain, and to use OPVault by default.

The old format is not the 'default' except for Dropbox Sync users. I'm using iCloud Sync and I'm not affected by this problem.

My point is: why are you talking about these issues in YCNews rather than on their forum? Most of us just read 140 characters rather than an article; this is how information is transferred today. I'm not finding excuses for AgileBits. The problem you mention needs to be fixed. But it's important where you talk about it. If there's a news item on YCNews saying your product is 'leaking your data', everybody will know that '1Password is leaking data', but not that 'the author of this article is still using 1Password'.

> My point is: why are you talking about these issues in YCNews rather than on their forum?

This is the flip side of "software as a consumer product" that sells for $60. If it's open source, the author could have discussed it on the bugtracker, posted to the mailing list / forum, or even just recompiled to use the old format by default, and you would have been justified in asking them to do so.

A commercial product that sells for $60? That's like a toaster oven or something. If my toaster oven is malfunctioning, I'm not going to go complain on their forum, I'm going to air my grievances in public and demand a new toaster (in this case, an updated version of 1Password).

> What do you expect them to fix?

As a very recent 1Password user: make the more secure format the default for new installs. Enable migration to that format without this braindead[1] process.

[1]: https://support.1password.com/switch-to-opvault/

They charge upwards of $60 for a full Mac/Windows/iOS suite of this software. I really don't think this is asking much.

They're working on doing that (it's already the default for local storage and iCloud, right?). I don't think the issue here is code as much as it is "you can't break people's already-deployed password vaults"; for a lot of their users, that kind of breakage is almost as bad as losing data.

Which would make sense, but isn't that an argument for appropriate warnings and a checkbox under sync preferences rather than functionally undocumented defaults hacking? This weakness has been public knowledge since at least 2012(!), so I'm forced to consider why they're so blasé about their customers' data.

I would never have started syncing with Dropbox had I known this. They have access to my site list now.

I'm a new client of 1Password and I bought licenses for OSX, Windows, Android and iOS because I'm a multi-platform kind of guy. I also have a Linux workstation and figured that I'll just generate passwords on my phone and then use the 1Password Everywhere dump on Linux. And I decided to use 1Password because it has this portable read-only interface.

Are you telling me that I've got a choice between the safety of my data and dropping functionality for which I paid? Do you even know if OPVault works in the Android client? But forget Android, does it work with Dropbox syncing? Some posts on their forums claim it doesn't.

Also this isn't a bug. It was a conscious design decision. Now I wonder if I can ask for a refund.

Can't you use wifi sync?

There is no Linux client to sync to.

Not a perfect solution by any means, but the Windows version runs pretty well with Wine. It even works with the browser extensions.

I ended up just buying the Windows version because I was so tired of 1Password Everywhere.

OPVault does not work on Android.

It may be an outdated data format, but they certainly haven't dropped it. It's still the default format for syncing, presumably because 1Password for Android doesn't support OPVault yet.

https://support.1password.com/switch-to-opvault/

They didn't drop it; it's still the default data format.

This is the best explanation I've found:

https://support.1password.com/switch-to-opvault/

According to them, if you sync to Dropbox or an external folder and use their default external file format for it, you might expose metadata; otherwise, you're fine.

"Default data format" is not correct. Data and backups are stored in a SQLite database locally. OPVault is used for iCloud, Agile Keychain for Dropbox / Folder Sync.

Fair enough.